Imperative: Make SSH as Hard as a Steel Trap
By Daniel Abrams
Special to YNOT
In the previous security article, I discussed FTP security. This time around, I will discuss hardening your Secure Socket Shell.
SSH is a network protocol that provides administrators and webmasters with a secure way to access a server using a client like Putty or SecureCRT, to name but two.
People tend to take SSH for granted. They see the “Secure” in SSH and assume protocol is hardened by default. Not so. SSH is vulnerable if not properly set up. This is a big problem, because SSH allows access to the server, which allows the user command-line access. A hacker with command-line access could wipe the hard drive clean with one command: rm -rf /. Or, they could retrieve sensitive data or install a rootkit that would allow them to access and manipulate the server remotely at a later date.
SSH security is of the highest priority. Here are some measures to harden your SSH:
First and foremost: Never provide SSH access to any outside party. Within your company or group, limit SSH access to only a select few whom you trust with your life and who have a valid reason for shell access. This is especially critical when granting root Normal Shell access.
Via WHM / cPanel or comparable control panel, disable SSH Password Authentication.
Via WHM / cPanel or comparable control panel, generate SSH Keys (private and public). Download the keys. Configure your SSH client to authenticate using Public Key.
Change your SSH password on a regular basis. Change your SSH password monthly or when you suspect that your server has been hacked. When choosing a password, choose a strong one: a random alphanumeric sequence that also contains special characters. A good tool for generating strong passwords is our Password Sentry’s PassMeter.
Every time you change your password, you will need to re-generate your SSH Keys and re-download the new keys for use by your SSH client.
Use a IP whitelist. Only grant SSH access on the basis of IP address.
For domain-specific SSH accounts (yours and/or reseller accounts), use Jailed Shell Access, a limited and restrictive environment within which users can perform whatever functions they need in relation to file system and server environment, but they can’t access the root.
SSH is an amazing protocol that allows you to do amazing things. But, in the wrong hands, it can be the most dangerous weapon directed against your server. Protect it well, and ensure you harden it like a steel trap.